[squid-users] HSTS and MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
Erdosain9
erdosain9 at gmail.com
Tue Aug 9 21:07:56 UTC 2016
Hi to all.
I keep trying to inspect HTTPS. I think I'm close to doing it. This is
my current configuration related to ssl-bump.
# Squid listen Port
http_port 192.168.1.215:3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

*I'm having this error in Firefox.*
*when trying google.com <http://google.com>*
The owner of www.google.com has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox only connect to it securely. As a result, it is not possible to add
an exception for this certificate.
*or yahoo.com <http://yahoo.com>*
https://search.yahoo.com/yhs/search?p=X.509+version+1+certificates+are+deprecated&ei=UTF-8&hspart=mozilla&hsimp=yhs-005
An X.509 version 1 certificate that is not a trust anchor was used to
issue the server's certificate. X.509 version 1 certificates are deprecated
and should not be used to sign other certificates.
HTTP Strict Transport Security: true
HTTP Public Key Pinning: false
*MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA*
When I create the self-signed certificate, I do it like this:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
So what can I change to avoid the problem???
Thanks to all!!
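
The Firefox message quoted in the post names an X.509 version 1 certificate used as an issuer. As an added example (not part of the original post and not Squid project code), the shell functions below create a signing certificate with explicit v3 CA extensions and check a PEM file for version 3 and CA:TRUE; the file names ca.cnf, ca.key, ca.crt and the subject CN are assumptions.

```shell
#!/bin/sh
# Added example: file names and the subject CN are constructed placeholders.

# make_ca DIR: write DIR/ca.key and DIR/ca.crt, a self-signed X.509 v3 CA.
# The extensions are stated in a private config so the result does not
# depend on what the system-wide openssl.cnf happens to contain.
make_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Constructed Squid ssl-bump CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# check_ca FILE: return 0 only if the first certificate in FILE is version 3
# and carries basicConstraints CA:TRUE; otherwise print the reason.
check_ca() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
    echo "cannot parse certificate: $1"; return 2; }
  printf '%s\n' "$text" | grep -q 'Version: 3 (0x2)' || {
    echo "not an X.509 v3 certificate"; return 1; }
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || {
    echo "basicConstraints CA:TRUE missing"; return 1; }
  echo "v3 certificate with CA:TRUE"
}
```

check_ca also accepts a combined key-and-certificate PEM such as the myCA.pem written by the command in the post, because openssl x509 reads the certificate block and skips the key.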